Category: Information Cards

During one of the hospitality parties at the Burton Group's Catalyst conference I came across the SXIP folks showing their cool new application service “outsourcing appliance” that lets enterprises outsource HR or mail and calendar to companies like Salesforce.com and Google. When employees are inside the firewall, they can just leverage Active Directory or some other LDAP server or authentication system to automatically create a SAML token that will log them into the service.

One of the requirements SXIP has encountered is for employees to be able to securely access these resources from their homes and hotel rooms without introducing the risk of password leaking.

After all, most companies don't want employees revealing their enterprise username and password to service suppliers – but also don't want to support a separate username/password outside the firewall… SXIP's solution: use Information Cards. It's a very simple and nice solution.

While looking at what they've done, I met David Huska, the incredibly fast and energetic engineering guy behind the project. He started telling me about CardSpace and his mother, and I could see he had a great potential CardSpace “elevator pitch” – meaning a way to explain a technology while riding an elevator up a few stories. So I cut him off, pulled out my phone, and asked him to start again. Here's what he said:

Kim: So you were talking about your mother…

Dave: What were you saying about my mother, Kim? Were you talking about my mother?

Kim: I love your mother.

Dave: Alright. CardSpace is an analogy my mother gets. She doesn't understand what I do in a million years, but CardSpace she gets. She sees the cards. Everything else stops. Everything goes away. She can't do anything else until she chooses a card.

When she pulls out her purse, she sees her cards. And with CardSpace, she sees her cards. She can see what card they want from her. She can see the information they're looking for from her. She can decide what she wants to use, or not – what she wants to approve or not.

It's like being in the supermarket. She can decide which card she wants to give – and if she wants to. It makes sense for her. It's simple. It's a clean UI. It's well done.

Kim: (Referring to SXIP's cool new system – that supports Information Cards.) So has your mother actually seen this?

Dave: Yes, she's seen it running on my test machine. She said, “Oh this is what you do. I finally get it.” And I had to say, “Well, this isn't exactly what I do – it's what another company does.” But you got her closer to understanding what I do than just about anything else I've ever shown her. So thank you.

Dave is great – and I love his mother too. Any thanks should be directed to all the people on the CardSpace team who did all the work and refinement and threat modelling and studies, and who are coming out with a nice update in the very near future.

While working on the Laws of Identity and CardSpace, it seemed that each new idea led inevitably to the next. I really had no choice in arriving at the concepts that arose. There was no other way to create an identity layer for the internet.

But as the issues unfolded, it became clear that the road to be travelled wasn't going to be easy. In fact, it was going to be hard. It involved risk. It required people and organizations to rise to challenges that seemed almost impossible. It needed profound goodwill. Do we dare say it required trust?

In the early days, as I shared my conclusions, my colleagues in the blogosphere and the conference rooms would say, “Kim, we don't doubt your personal integrity, or your vision; but surely you can't expect us to believe that Microsoft is really going to back you on this stuff…”

And when I looked coldly at what would be required of Microsoft, I could see that there was probably no large company in the world that could do all the counter-intuitive things necessary for success.

In a world where the erosion of privacy was becoming endemic, I would need a Microsoft relentless in championing privacy.

In a world where you are normally lucky just to get your research funded, I would need a Microsoft that would not only fund but then freely share every aspect of the new technology.

In a world polarized between open-source and inventor-owned software, I would have to ask both sides to work together in a single community for the good of everyone.

Having concluded that the original thinking about Passport broke the laws of identity, I would need a Microsoft willing to admit to the mistake, and show it could learn from it.

Above all, I would need a Microsoft that would let me be completely open about what I was thinking, despite my internal role as an architect. That was the only way I could speak both to Microsoft and to the rest of the industry, to argue for the changes everyone would need to make if we were to be successful.

The project could not succeed if we failed to achieve any of these. And then, only after that, you had all the uncertainty associated with the introduction of any new paradigm, and any new product. I would need a team willing to buy fully into all the architectural tenets, and to defend them with passion while building something eminently usable.

Other than love, there is little that is higher in my estimation than authenticity. To actually be the architect of identity I was supposed to be, I would have to express what was required, try to find the language, try to build the context. That's what this blog has been about, transforming itself so that more and more it became a place for me to learn and to work.

If this has all been a voyage, this week was a milestone. The interoperability event at the Burton Group's Catalyst conference was stunning (more later). The combined impact of the open source community and Microsoft and many other companies charging into this new world of Information Cards and claims-based computing was intoxicating.

But there was a second milestone as well – one which I had never predicted. And although it seems like a personal one, it really isn't, so I hope you will let me share it with you.

I received an award from my colleagues at Microsoft. Here's the congratulatory letter:

On behalf of Microsoft, we want to congratulate you for your outstanding contributions to Trustworthy Computing during the last year.

In recognition of your efforts – which stem from your passion, determination and leadership – you have been chosen to receive the Trustworthy Computing Privacy Award. Your work is having a tremendous impact across the company, and has significantly improved customers’ interactions with Microsoft.

Specifically, your Laws of Identity, and the work you are leading on the Identity Metasystem, is establishing the foundation for electronic credentials in the virtual world, and is leading a renaissance for identity solutions. By placing individuals at the center of trust decisions and establishing contextual frameworks where credentials can be recognized, these laws are able to address security requirements while respecting the privacy needs of individuals. These seven laws, and the identity metasystem, governed the design of the potentially game-changing functionality of Windows CardSpace.

The Trustworthy Computing Privacy Award is a key achievement that recognizes outstanding contributions in advancing an important company tenet. It acknowledges and rewards individuals and teams who have pioneered noteworthy process improvements and innovations in their pursuit of trustworthy computing. Receiving the Trustworthy Computing Privacy Award is a level of recognition that only few of our finest employees achieve. Everyone involved in this project should be extremely proud of this accomplishment.

Congratulations again on your achievement, and congratulations on your efforts.

Sincerely

Bill Gates, Chairman, and

Scott Charney, Corporate Vice President, Trustworthy Computing.

Not only had Microsoft supported my work. It had risen to the extreme challenges my work set for it. And this would not have been possible without the contribution of many others, like Scott Charney, who were working to guide Microsoft in the same direction I was.

I was especially happy to receive the award from Bill Gates, whose vision reaches across every aspect of technology. He, above anyone else, is the symbol of a Microsoft that “gets” identity, and I thank him very deeply.

I don't normally get into a lot of stuff about Microsoft on the blog, but this award thing has made me stop and think about what she has been willing to do, OSP and all. I congratulate her on what she has done already, and will continue to do, to move us closer to the identity big bang.

I want to congratulate Mike Jones and my other colleagues for all their work in creating and figuring out how to protect an Information Card icon that can be used by everyone worldwide who supports InfoCard technology. Creative people, legal people, and marketing folks all helped bring this to fruition. Here's Mike's post:

I'm very pleased to announce that, as of today, there is now a graphical icon freely available for people to use to indicate that “Information Cards are accepted here”. This icon is intended to provide a common visual cue that Information Cards can be used to provide information to a site or program, similarly to how the RSS icon is used to indicate the availability of syndicated content.

The guidelines for the use of the icon, a frequently asked questions document, a set of png images of the icon rendered in a range of sizes, and the original artwork in Illustrator format are all available together in a download package. Please consult the guidelines and the FAQ before using the icon. [You can also download the icon package here – Kim]

And just for fun, because the icon is, after all, a graphical element, here's a gallery of the renderings of the icon that we included in the downloads package. Enjoy!

OK Mike – I just updated my login page too. I used to have the picture of my heroine Elastigirl as my InfoCard icon, but it's time to move on. I'll continue to honor her through the quote at the top of my blog.

For the curious, Mike's posting includes the definitive series of icon variants – an outstanding display of Warholian excess.

Over at self-issued, Mike Jones picked up on the OSIS Wiki Page reporting on the recent Information Card Connect-a-thon. Maybe the most encouraging thing was to see new players show up with working bits:

The OSIS group sponsored an Information Card interoperability connect-a-thon on May 15, 2007 as part of the Internet Identity Workshop 2007 A in Mountain View California. Participants collaborated to work through combinations of Identity Provider, Identity Agent, and Relying Party scenarios, in order to identify and workshop problems with interoperability. The following representatives were present and participated:

5 Information Card Selectors
  Ian Brown's Safari Plugin
  XMLDAP
  Windows Cardspace
  Higgins IdA Native
  Higgins IdA Java

11 Relying Parties
  Bandit (basic wiki authentication)
  Bandit (elevated privileges)
  PamelaWare
  CA
  XMLDAP
  Windows Live RP (used to obtain a managed card)
  Windows Live/single-issuer (where you can use the managed card)
  Oracle RP
  Identityblog RP (based on Rob Richards' library)
  Identityblog helloworld token RP
  UW/Shibboleth

7 Identity Providers
  Higgins
  Bandit
  XMLDAP
  UW/Shibboleth
  LiveLabs
  HumanPresent
  Identityblog HelloWorld IdP

4 Token Types
  SAML 1.0
  SAML 1.1
  helloworld
  username token

2 Authentication Mechanisms
  username/password
  self-issued (personal) card

Many combinations interoperated as expected; several issues were identified and are being fixed in preparation for the coming Information Card Interop event to be held at the Burton Group Catalyst Conference in San Francisco (June 25-29).

But there is another thing I don't understand lately. CardSpace has now been shipping in its RTM version for almost half a year. And yet, I have never come across a production site (except this one) that uses it. You post all these fantastic announcements of new groups that will support this, but out there on the web, very little adoption seems to take place. And in particular, there seems to be not a single Microsoft site that uses it. Why? On the contrary, the one huge MS group where I would have thought they might use it (Windows Live ID and all the sites that use it) seems to be implementing its own identity selector.

Quite frankly, right now my impression is that what is needed most is some highly visible commitment from MS itself to this idea and to implementing it widely on its platform. I am just quite sceptical that anyone else will use this widely, unless you take the first step.

Make no mistake: you will see deep Microsoft support. But you need to give us time to roll it out, just as we need to give others in the industry time to do the same.

Using your example of Windows Live ID, it is a huge production system handling a billion authentications a day. There are strict requirements for introducing new software. In fact, some of them arose through input from policy makers. Much more is involved than “wanting to do something” and coming up with “bits” suitable for use on such an enormous site. There is Process.

The same is true in terms of integrating the new technology into our federation product, Active Directory Federation Service (ADFS). There is a whole team working on CardSpace support, so administrators will be able to give their Active Directory (AD) users Information Cards at the flick of a switch. But we want to do it as well as we can, and in the most secure way possible, and we can't do that overnight.

My colleagues and I wanted to see CardSpace bits get into circulation as early as possible – even if service offerings weren't ready yet. Why?

Socket and Ecosystem Days

The problem with identity is getting the infrastructure in place. Some great talent – I don't know who – pointed this out when he said, “The Public Key Infrastructure (PKI) is great except for one thing: the public has no keys”…

CardSpace eliminates the need to “give the people keys”. But the bits still have to “get out there” before it will work. We are still in “Socket and Ecosystem Days”, when sockets start to appear on desktops and people running web sites can move past “but nobody has information cards” and get to “hey, everyone is going to have them”.

Our first job was to ship CardSpace V1.0 so Information Cards became “real”. Now we need to distribute bits. And finally we need to lead in adoption, just as you say.

CardSpace can't succeed without its sister implementations on other platforms. It also needs relying party software in a dozen languages to run on all platforms. And identity provider software.

These are just starting to emerge. But all this is happening in a methodical and persistent way. I think of it as “ecosystem time”.

I'll post the report that appeared on the OSIS wiki describing the Connect-a-thon held at a recent IIW. You will see the degree to which the ecosystem is growing.

Meanwhile, Windows Live ID plans to introduce Information Card support this summer. At that point, all the Microsoft properties will be enabled. The integration will grow progressively stronger over time.

Establishing identity and authenticating on the web are a mess. I doubt I'm alone in using the same user id and password over and over again. If they're hacked once they can be employed a hundred times over. Yeah, some sites make you change your password at regular intervals, but how do you remember them? I write them down, and carry them with me. OK, they're somewhat encoded, but …

For some time now, there has been the possibility of improvement under the “Identity 2.0” banner. To the surprise of some (many?), a significant chunk of Identity 2.0 innovation has come from Microsoft, and no, no, no, it's not “Passport”. It is expressed in two seminal papers: The Laws of Identity and The Identity Metasystem, both by Kim Cameron.

But this is not all. There is a Microsoft product. It's called “CardSpace” (it used to be called “Info Card”). It ships as part of Vista. It also ships as an automatic XP upgrade, and there are a host of alternatives, including open source ones.

CardSpace and its analogues, on their own, are not a solution. They are a component, albeit a key one, of an Identity Metasystem. What needs to come next is for web sites (“Relying Parties”) to start requesting and employing CardSpace-managed security assertions. This in turn will create a demand for Identity Provision (yes, this is where ActiveDirectory and son of Passport come in).

Will this happen? It's too early to say. But by seeding the digital world with CardSpace, Kim and Microsoft have taken us a long first step down this path, and IMHO done us all a big favor.

It took me a minute to click in to the name Nick Shelness. He is a great visionary – CTO at Lotus and later an IBM fellow (now with his own practice in the UK). His support means a lot to me.

As for his “will it happen?” question, I've asked it too on a hundred ‘bleak and dreary days’. But I continue to think there are historical inevitabilities at work here.

Distributed computing is dammed up behind a wall of identity friction. The one good thing about the friction is that it limits phishing and cyber crime as much as it limits business. Remove the friction with something like single sign-on and you massively increase the attraction of the digital honeypot, providing a one-stop attack surface for evil. The more consolidated identity initiatives succeed, the more they will fail – unless there is a paradigm change like CardSpace that compensates for risk aggregation.

Few may understand these dynamics through theory alone, but Professor Reality will come to tutor them before too long. Meanwhile, there are more and more people with enough vision that they don't have to “go over Niagara Falls in a barrel to know it hurts.”

Day after day, week after week, month after month, CardSpace “sockets” are appearing on desktops. One day – not too far into the future – it will be present on 50% of them. Then on 75%! Meanwhile the software will get slicker and slicker, with multiple versions and choices by people like our friends at Higgins running on Mac and Linux. This is a historic thing we are doing together, and we can't be impatient. But this baby is going to light up big time.

Jeff Bohren at BMC Software has an interesting take on CardSpace and TEG – as well as other related matters. And in this posting he says that BMC Software will be participating in the interoperability event at the next Burton Catalyst. This really adds to the momentum.

There will be a User Centric interoperability event at the next Burton Catalyst in SF. This will bring together several IdM vendors and open source projects to demonstrate interoperability between different implementations of Cardspace/InfoCard and OpenID. BMC Software will be participating. We will also have a hospitality suite the following night. I will be there so if you want to drop by I would be glad to talk with you about IdM issues.

Mike Jones from Microsoft has some great Cardspace/InfoCard resources on his blog. If you are interested in this area, you should definitely check this out. You should also check out Pamela Dingle's introduction to Cardspace.

Microsoft has recently announced that they have sold over 40 million copies of Vista in the first 100 days since its release. Obviously not all of those are installed and in use, but this still a lot of users. And every one of them is a potential Cardspace user.

If IE isn't your cup of tea, there are several other options available. Xmldap.org has a plug-in for Firefox. I gave it a try, but for some reason I could not use it to do InfoCard authentication to Kim Cameron's blog, which you can obviously do with CardSpace.

There has been a recent spurt of debate over at the TEG mailing list about Cardspace. I don't want to waste TEG bandwidth on what is really a tangential issue, so here is my take on the value of Cardspace/InfoCard.

The best way to think of the value of Self-Issued InfoCards is to think of them as analogous in feature to end-user SSL client certificates. In essence they are a holder-of-key style authentication that can be used by itself or in conjunction with a password based authentication to dramatically improve the security of the authentication process. Like client certificates, InfoCards authenticate the computer the user is on, not the user. They further have the advantage of presenting a very user friendly graphical mechanism to select what identity should be used.

While all InfoCard implementations have this value, Cardspace goes further and adds additional features to thwart phishing, man-in-the-middle attacks, and software key loggers. If the US banks were smart, they would adopt InfoCard as their solution to comply with FFIEC guidance for on-line banking. Cardspace/InfoCard could be used as a second factor of authentication to use for financially sensitive transactions. Not as a replacement for passwords, but as a supplement. And best of all (to the bank) there is zero cost on a per user basis.

For enterprises there is an important potential value for InfoCards, and it has nothing to do with internal authentication. The value is by using InfoCards, an employee of a company can easily choose different identities depending on whether he is representing the company in a specific transaction or not. It has to do with separating personal from professional personas. A company could issue a managed InfoCard to each employee for use for their professional persona and establish best practices for using their self-issued InfoCards for personal business. Now you can do this without InfoCards by creating multiple IDs, but as a practice no one does that.

Update 5-24-07

Shibboleth just announced that they will add support for Cardspace/Infocard in the Shibboleth architecture. Kim Cameron's thoughts about it are here and Mike Jones's comments are here. This is a great development. The Shibboleth project has a great deal of respect and mind share in the identity community.

I'm not sure I agree that InfoCards authenticate the computer the user is on, and not the user. I think that depends on whether they are combined with a challenge such as a one-time password. I hope Jeff writes more about what he means by this.
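The holder-of-key point in Jeff's post above, as an added illustration (a constructed, simplified Go model of my own, not CardSpace's token format and not code from any project mentioned here; the card ID, relying-party URL and field names are assumptions): the card proves possession of a locally generated key by signing the relying party's fresh nonce, the relying party derives a per-site identifier and rejects replays and key changes, and the proof on its own establishes only which key was used, not which person.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SelfIssuedCard is a simplified model (not the CardSpace format) of a self-issued
// card: a key pair generated on the user's machine plus a stable card identifier.
type SelfIssuedCard struct {
	CardID string
	key    *ecdsa.PrivateKey // never leaves the card selector
}
func NewSelfIssuedCard(cardID string) (*SelfIssuedCard, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SelfIssuedCard{CardID: cardID, key: k}, nil
}

// Token is what the selector hands a relying party (RP) for one login.
type Token struct {
	PPID      string           // RP-specific identifier derived from the card
	PublicKey *ecdsa.PublicKey // the card's public key, carried as a claim
	Nonce     []byte           // the RP's fresh challenge, echoed back
	Signature []byte           // proof of possession of the private key
}

// challengeDigest binds the nonce to the RP, so a signature made for one site is
// useless at another.
func challengeDigest(rpIdentity string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpIdentity+"|"), nonce...))
	return sum[:]
}

// Present signs the RP's challenge: holder-of-key proof that this machine's card key was used, nothing about who sat at the keyboard.
func (c *SelfIssuedCard) Present(rpIdentity string, nonce []byte) (*Token, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, challengeDigest(rpIdentity, nonce))
	if err != nil {
		return nil, err
	}
	// The PPID differs per RP, so two sites cannot link one card by its identifier.
	ppid := fmt.Sprintf("%x", sha256.Sum256([]byte(c.CardID+"|"+rpIdentity)))
	return &Token{PPID: ppid, PublicKey: &c.key.PublicKey, Nonce: nonce, Signature: sig}, nil
}

// RelyingParty tracks single-use nonces and the key first seen for each PPID.
type RelyingParty struct {
	Identity string
	issued   map[string]bool
	known    map[string]*ecdsa.PublicKey
}
func NewRelyingParty(identity string) *RelyingParty {
	return &RelyingParty{Identity: identity, issued: map[string]bool{}, known: map[string]*ecdsa.PublicKey{}}
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	rp.issued[string(n)] = true
	return n, nil
}

// Verify: the nonce must be one this RP issued and not yet consumed, the signature
// must verify over the RP-bound digest, and the key must match the PPID's known key.
func (rp *RelyingParty) Verify(t *Token) error {
	if !rp.issued[string(t.Nonce)] {
		return errors.New("unknown or already-used nonce")
	}
	delete(rp.issued, string(t.Nonce)) // single use: a replayed token fails above
	if !ecdsa.VerifyASN1(t.PublicKey, challengeDigest(rp.Identity, t.Nonce), t.Signature) {
		return errors.New("signature does not verify")
	}
	if prev, seen := rp.known[t.PPID]; seen && !prev.Equal(t.PublicKey) {
		return errors.New("key differs from the one registered for this PPID")
	}
	rp.known[t.PPID] = t.PublicKey
	return nil
}

func main() {
	card, _ := NewSelfIssuedCard("constructed-card-id")
	rp := NewRelyingParty("https://rp.example")
	nonce, _ := rp.Challenge()
	tok, _ := card.Present(rp.Identity, nonce)
	fmt.Println("first:", rp.Verify(tok), "| replay:", rp.Verify(tok))
}
```

A password or one-time code checked alongside Verify is what turns "this key was used" into "this person was present", which is the distinction the two posts above are circling.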

We will shortly begin beta testing an age and identity verification system, which will allow Residents to provide a one-time proof of identity (such as a driver's license, passport or ID card) and have that identity verified in a matter of moments.

Second Life has always been restricted to those over 18. All Residents personally assert their age on registration. When we receive reports of underage Residents in Second Life, we close their account until they provide us with proof of age. This system works well, but as the community grows and the attractions of Second Life become more widely known, we've decided to add an additional layer of protection.

Once the age verification system is in place, only those Residents with verified age will be able to access adult content in Mature areas. Any Resident wishing to access adult content will have to prove they are over 18 in real life. We have created Teen Second Life for minors under the age of 18. Access to TSL by adults is prohibited, with minors not allowed into the rest of Second Life.

For their part, land owners will be required to flag their land as ‘adult’ if it contains adult content using the estate and land management tools provided to landowners. This flag will protect landowners from displaying inappropriate content to underage users who may have entered Second Life. Landowners are morally and legally responsible for the content displayed and the behavior taking place on their land. The identity verification system gives them new tools to ensure any adult content is only available to adults over 18 because unverified avatars will not have access to land flagged as containing adult content.

We hope you'll agree that the small inconvenience of doing this once is far outweighed by the benefits of protecting minors from inappropriate content. Further, this system will assist landowners in engaging in lawful businesses.

The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so.

The idea of presenting a passport to get into an imaginary adult establishment strikes me as nutso. I must be missing a gene. It is certainly a conundrum, this virtual world.

I think that rather than adopting this one-off inspector approach, outfits like Second Life and all the other big web sites should get together to accept registration claims from whatever identity providers would fully guarantee both accuracy and the anonymity of their users. Information Cards combined with the anonymous credential technology developed by people like Stefan Brands would provide the ideal solution.

More than a decade ago I happened upon this programming language called C+-, pronounced “C, more or less”:

Unlike C++, C+- is a subject-oriented language. Each C+- class instance, known as a subject, holds hidden members, known as prejudices or undeclared preferences, which are impervious to outside messages, as well as public members known as boasts or claims.

Of course it was a joke and I laughed, but the joke stung a bit. It had occurred to me that a claims-based system like this could actually be useful. I had even come up with the name “subject-oriented” for it. So it hurt a bit to find the idea “out there” only as the butt of a joke.

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today's more rigid systems that are based on a single point of truth […]

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures. The Legonic identity system is rethinking what users know today, he said, and is defined by a set of claims one subject makes about another.

Formulations like this make it clear how fundamental the coming “identity revolution” in computing could be. The German philosopher Hans Blumenberg argued in his book The Legitimacy of the Modern Age that modern science emerged from the sterility of medieval Scholasticism precisely because of its “renunciation of exactitude.” In other words, modern science emerged by replacing the idea of “eternal truth” with that of subjective claims and methodical doubt as epitomized in Descartes.

Recently I was interviewed by Richard Campbell and Greg Hughs on RunAsRadio. You might have heard of Richard… he's also the host of .Net Rocks!. Where .NET Rocks! is for developers, RunAsRadio is for IT Pros.

Anyways, if you would like to listen to the interview we did on CardSpace, you can download it here. It's about a half hour long, and is a simple introduction to the world of Cardspace, at least from the client-side perspective.

For those already versed in the subject, you will notice a few term definition problems in the interview. It went by so fast, and I didn't make it clear what I was getting at. For those that don't know, here is a primer that may help understand how I talk about digital identity:

InfoCard : An information card. The previous code name for Cardspace [but now the name of the underlying technology – Kim]

Identity Card: Generic term to mean a piece of digital information that represents your identity [definition not recommended – Kim]

Identity Provider: As the name implies, a provider of one's digital identity.

Relying Party: A system/application that relies on a digital identity for authentication, and possibly authorization. It is up to this party to decide which Identity Provider(s) it is willing to trust. i.e. a web site, LOB app, etc.

Claim: An assertion of a piece of information belonging to an identity. i.e. username, password, age, phone number, etc.

Wallet: A piece of software that holds Identity Cards. Vista ships with a wallet that holds Information Cards. You can also download it for XP.

In a couple of places I used the term “credential” where I was really talking about “claims”. And in passing it may sound like I was saying it's the Identity Provider's (IdP) role to decide who to trust. That didn't come out right. It is up to the relying party to decide which IdP it wishes to trust. In some cases, it will trust you, because you act as the provider. How? Because when you create a self-issued card and submit it, you are asserting you are who you say you are. It won't be trusted as much as, say… a government IdP. But you get the point. I hope Kim doesn't think about throwing a brick at my head if he hears the interview 🙂 [I love the interview – no brick – Kim]

Anyways, fun interview. Richard and Greg have asked me to come back and do another one where we can explore the server side of things… and discuss how Relying Parties and Identity Providers really work. We may even get into some discussion about Longhorn server and some of the interesting bits there that can be leveraged for the new digital identity ecosystem. Until then… enjoy!

Actually, Dana is remarkably precise while still being interesting. He has made even the hardest leap – separating credentials from claims cleanly enough that he catches himself when at one point he starts to slip.

In the interview Dana says “InfoCards”, and uses the word properly – to refer to the technology we are working on across the industry. “Windows CardSpace”, on the other hand, is the name of the Microsoft implementation of this technology.

I take full responsibility for confusing everyone in this regard – and apologize to Dana and all my readers – because early in the product cycle I conflated our proposed technology ideas and our Microsoft implementation. Over time we've become very crisp about our usage. CardSpace is the way we store Information Cards on Windows; people abbreviate Information Cards into “InfoCards”.

I do not use and do not like the phrase “Identity Cards” when talking about digital identity.

“Identity Cards” conjure up government-issued citizen identities. While government cards are a legitimate notion when interacting with government sites, we don't want to imply that government-issued identities should be used everywhere or for everything! People need to be able to assert different identities and decide which ones they want to pull out of their “wallets” – just as they do in the physical world.

But I nit-pick. If you want to learn about CardSpace and Information Cards, check out this interview.